Angular is broken, in which case the user gets confused. A button that shouldn’t be clickable is clickable. Not a big deal from a security perspective, and something that is the framework’s responsibility, not the app’s.

qq() does something inherently requiring specific permissions, and the user absolutely shouldn’t be able to do that thing unless all those conditions in [disabled] are aligned properly. A big deal from a security perspective, but also one that is completely incapable of being handled within the app, period. The restriction would have to be enforced on a server.

It may be worthwhile both for readability and performance sake to collapse that complicated [disabled] expression into a single controller property, though.